CATEGORIES

Google Play Store Played Again – Tekya Clicker Hides in 24 Children’s Games and 32 Utility Apps

March 24, 2020
Research by Israel WernikDanil Golubenko , Aviran Hazum 

 

Although Google has taken steps to secure its Play store and stop malicious activity, hackers are still finding ways to infiltrate the app store and access users’ devices. Millions of mobile phone users have unintentionally downloaded malicious apps that have the ability to compromise their data, credentials, emails, text messages, and geographical location. For example, in February 2020, the Haken malware family was installed in over 50,000 Android devices by eight different malicious apps, all of which initially appeared to be safe.

Recently, Check Point’s researchers identified a new malware family that was operating in 56 applications and downloaded almost 1 million times worldwide.  With the goal of committing mobile ad fraud, the malware – dubbed ‘Tekya’ – imitates the user’s actions in order to click ads and banners from agencies like Google’s AdMob, AppLovin’, Facebook, and Unity.

Twenty four of the infected apps were aimed at children (ranging from puzzles to racing games), with the rest being utility apps (such as cooking apps, calculators, downloaders, translators, and so on).

Overview

The Tekya malware obfuscates native code to avoid detection by Google Play Protect and utilizes the ‘MotionEvent’ mechanism in Android (introduced in 2019) to imitate the user’s actions and generate clicks.

During this research, the Tekya malware family went undetected by VirusTotal and Google Play Protect. Ultimately, it was available for download in 56 applications downloadable on Google Play.

This campaign cloned legitimate popular applications to gain an audience, mostly with children, as most application covers for the Tekya malware are children’s games. The good news is, these infected applications have all been removed from Google Play.

However, this highlights once again that the Google Play Store can still host malicious apps. There are nearly 3 million apps available from the store, with hundreds of new apps being uploaded daily – making it difficult to check that every single app is safe.  Thus, users cannot rely on Google Play’s security measures alone to ensure their devices are protected.

The full list of infected apps is listed below.

 

Figure 1 – Google Play pages for some of the ‘Tekya’ applications

Technical Analysis

Upon installation of this application from Google Play, a receiver is registered (‘us.pyumo.TekyaReceiver’) for multiple actions:

  • ‘BOOT_COMPLETED’ to allow code running at device startup (“cold” startup)
  • ‘USER_PRESENT’ in order to detect when the user is actively using the device
  • ‘QUICKBOOT_POWERON’ to allow code running after device restart

Figure 2 – TekyaReceiver registration

This receiver has one purpose — to load the native library ‘libtekya.so’ in the ‘libraries’ folder inside the .apk file.

Figure 3 – TekyaReceiver’s code

Inside the constructor for the ‘Tekya’ library, a list of “Validator” objects (that don’t validate anything) is created.

Figure 4 – Part of the ‘Tekya’ constructor

Inside each “Validator”, another method called runs an internal function from the native library ‘libtekya.so’.

In the case of the ‘AdmobValidator’, the function calls the ‘c’ function, which then runs the ‘z’ function, which in turn calls the ‘zzdtxq’ function from the native library.

Figure 5 – AdmobValidator’s overridden function and calling internal native function

Inside the ‘libtekya.so’ native library, this function, which is called from the “Validator”s, is responsible for multiple actions:

  • calling ‘ffnrsv’ function – which is responsible for parsing the configuration file
  • calling the ‘getWindow’ and ‘getDecorView’ to get the needed handles
  • calling a sub-function, ‘sub_AB2C’ with the results of the functions above

 

Figure 6 – Tekya’s ‘zzdtxq’s native code

Lastly, the sub-function ‘sub_AB2C’ creates and dispatches touch events, imitating a click via the ‘MotionEvent’ mechanism

 

 


Figure 7 – VirusTotal output for ‘Tekya’ applications

How to protect yourself?

If you suspect you may have one of these infected apps on your device, here’s what you should do:

  • Uninstall the infected application from the device
  • Install a security solution to prevent future infections
  • Update your device Operation System and Applications to the latest version

Furthermore, enterprises need to ensure their employees corporate devices can be secured against sophisticated mobile cyberattacks like Tekya or Haken (or any other malware) with SandBlast Mobile.  To protect personal devices against attacks, Check Point offers ZoneAlarm Mobile Security.

 

Appendix 1 – IOC’s

Package_name Removed by Google/Developer Gp Installs Developer C&C sha256
caracal.raceinspace.astronaut Google 100000 Caracal Entertainment http://api.lulquid.xyz f1d32c17a169574369088a87f2df9e56df2abeeeda0b7f4c826da5f4f69d11e4
com.caracal.cooking Google 100000 Caracal Entertainment http://api.namekitchen9.xyz/api/subscription 46e41ef7673e34ef72fb3a971859aed5baaea8ea4a193fc6e74fc9fcbe033d67
com.leo.letmego Google 100000 Leopardus Studio http://api.leopardus.xyz/api/subscription b21cb5ebfb692a2db1c5cbbc20e00d90a4e04ca1c2c3f7b25cb0bbc13b43f5eb
com.caculator.biscuitent Google 50000 Biscuit Ent http://api.lulquid.xyz 734418efafd312e9b3e96adaac6f86cc1a4565f69baf831945788399bc9d1c5f
com.pantanal.aquawar Google 50000 Pantanal Entertainment http://api.pantanal.xyz 8fec77c47421222cc754b32c60794e54409a55ac5a002b300b5b35c4718fd0b0
com.pantanal.dressup Google 50000 Pantanal Entertainment http://api.pantanal.xyz 64e2c905bcef400e861469e114bf4eaf2b00b11c4d002f902b8d02c4074efb22
inferno.me.translator Google 50000 World TravelX http://api.molatecta.icu ebe3546208fd32d3f6a9e5daf21a724089febb1f61978bfd51f0edb520ae4348
translate.travel.map Google 50000 Lynx StudioX http://api.nhudomainuong.xyz f805e128b9d686170f51b1add35e45ea939d166b5ada4b6e900511518655f243
travel.withu.translate Google 50000 World TravelX http://api.molatecta.icu b7670b5d9a6643a54b800b4cb344f43b7826b2504cab949a96dd42e8c3fc5bc5
allday.a24h.translate Developer 10000 Royal Chow Studio http://api.royalchowstudio.xyz 29f2fd6ccf0f632e45dd1f15ec72985cfab56b0b4a07cb0b11b6011d1f7ebe32
banz.stickman.runner.parkour Google 10000 Biaz Inc http://api.lulquid.xyz/api/subscription e1027b6681e93d9763f19ea7e5ab2522362ebc27e29863e11822ca1e3b203fae
best.translate.tool Google 10000 Megapelagios http://api.megapelagios.site 043e15b8b9799723649141f60f68cfad8d2d4fabc0a348d0087118c7b5047020
com.banzinc.littiefarm Google 10000 Biaz Inc http://api.banzinc.xyz 5fab614ff6510b20a9579de940b88810d0c6fec220e202feef221d7d5c7aba3e
com.bestcalculate.multifunction Google 10000 Titanyan Entertainment http://api.lulquid.xyz 7b2670f7c8550aafcfbdb279446648073a9d099499c863a1380518b8edab435f
com.folding.blocks.origami.mandala Google 10000 Slardar Studio http://app.slardar.icu/api/subscription 2d6df88bd0ad7d442b731e5755df55be2febb0d57118b9b01edeabd5c5db4439
com.goldencat.hillracing Developer 10000 Golden Cat 94e256a3ce62564e1e61b612375c6be4d90c99849edcadfe05bf13863a1029e3
com.hexa.puzzle.hexadom Google 10000 MajorStudioX http://api.chauxincaidomainnua.icu 3eeae3f56011aa7b858d38fc7f60a580d3b90bdfe194a7d6ad67bea1680002c2
com.ichinyan.fashion Google 10000 Titanyan Entertainment f4b3143ec3091bc07cfb443efb6b076becad719438aeaf58cf1da65136aab74a
com.maijor.cookingstar Google 10000 MajorStudioX 57260286c49599a9b65851888b8f30ffe497c1f013bc6d760943789cbceb16fe
com.major.zombie Google 10000 MajorStudioX ffb5d8d7e8bc16c8664fb67a680e3aa2b7f4dae4f50e7bce9352edd51ff3e4fc
com.mimochicho.fastdownloader Google 10000 MochiMicho 41d8d9c910511a914b584f4a40cd12042abc69a83b8d70e92f66c870e6b34c45
com.nyanrev.carstiny Google 10000 Titanyan Entertainment
com.pantanal.stickman.warrior Google 10000 Pantanal Entertainment http://api.pantanal.xyz/api/subscription 45527951a533674be836f9efbc40ba207b6abac36bd05b065af79e4f2aa696cd
com.pdfreader.biscuit Google 10000 Biscuit Ent 215ff546710b96c69130cfef9b4d719a9866ceffd3c9cc2ba113e731a23309a6
com.splashio.mvm Google 10000 Biscuit Ent 74d7a572aa84b5deeed7fedf9eb1873a4bb38c4acd7a9c93992b61b07dcc7cdd
com.yeyey.translate Google 10000 World TravelX 967f136cb2824e8c49b3bde8e910ac7a93a64339a3e2a060a15fb745b1211487
leo.unblockcar.puzzle Google 10000 Biaz Inc 9ee67b541335b88b6649afe184ba75cac084e20bbc465d998bac05cc85d59cff
mcmc.delicious.recipes Google 10000 MochiMicho 6de03bf38e462fc9205e2a7cb49b7ed48d52bf84ec4f3aebdd84e31374832042
mcmc.delicious.recipes Google 10000 MochiMicho f33f5d7fd3909380582d821394c59dc78aa06113932143662d69733542ad571b
multi.translate.threeinone Google 10000 White Whale Studio 72f924b6c597a5eb68e4c35843ad6b3ffa7b71396abb2a4c8dafd39b9832a4c4
pro.infi.translator Google 10000 World TravelX 5d1ec6427f7f6fe49ac95687257818ef0a0890159cc14a9e866ddeabd1c2568b
rapid.snap.translate Developer 10000 Royal Chow Studio http://api.royalchowstudio.xyz 0045e2dc65a236fa05b18cbef767715cca4720ec3d3c8fb522264b8339669527
smart.language.translate Google 10000 Megapelagios 44b99da080701c14dd833f9f6c8f2fbc260299448dd5db701fc5b9e625db2556
sundaclouded.best.translate Google 10000 Sunda Clouded 30c9278c4907cf8fd13cbfa4bdbd47db8cce594871e08867a1f4282833e31e48
biaz.jewel.block.puzzle2019 Google 5000 Biaz Inc 93ce6082a22a56ae98c6381572d25356b00f65256d71f188687bdae03cff0ab4
biaz.magic.cuble.blast.puzzle Google 5000 Biaz Inc c75c5720befc162671f270b12891799cd4d9fd6f8d6ac0d586ef4109db6a6417
biscuitent.imgdownloader Google 5000 Biscuit Ent 3c943adc94489cc6c75bd5b6354c0af0f75f9d5710379e8cda02370352570156
biscuitent.instant.translate Google 5000 Biscuit Ent ce0161ca7702713251e21497ab2105fa4bf07e4f58f4622b64c4cbf2d86dd2fb
com.besttranslate.biscuit Google 5000 Biscuit Ent 0c3aa1e07366fe37a693bae4833ce713de6eab2874a480f054c8442589ba71e0
com.inunyan.breaktower Google 5000 Titanyan Entertainment a0ca0dfd9f0fc59b2f6f13ede6eb1585f5185431926beaae9d87d147fc7de445
com.leo.spaceship Google 5000 Leopardus Studio http://api.leopardus.xyz 31f7d64db00a1c3e93f8fa09d623df385d3d5a096f5abc6d00900f643239f073
com.michimocho.video.downloader Google 5000 MochiMicho 3aadee8c06edb4e3dddd4477943812dd08a922d50d2e4fa816a3a7a72db72768
fortuneteller.tarotreading.horo Developer 5000 Sunda Clouded http://api.sundaclouded.host 9475507507a46e377a05f2667b2551649d8ab9ccc4f8fa8c31abf1b34aaf0ea5
ket.titan.block.flip Google 5000 Titanyan Entertainment a6d7cb20d11557199ca8ceabff7c489743678c0851317f237f5e581dcb201782
mcmc.ebook.reader Google 5000 MochiMicho c18d820fef9f2e01c7e73e8576a931d74f6630554a95f04a3ef01ce5bcf6b816
swift.jungle.translate Google 5000 White Whale Studio http://api.whitewhalestudio.host a78bb13218c7f528d62df3b71e2033ec618f933f0f046e6f332e8ef6bac4559f
com.leopardus.happycooking Google 1000 Leopardus Studio 027385e60d35229a2c4357484b55485058804f09369305fe6ad69f0b30ff3076
com.mcmccalculator.free Google 1000 MochiMicho 3f537802dc5275e50c8e41ac464431731d01726b59538649453518f0619ac7bc
com.tapsmore.challenge Google 1000 Biscuit Ent 48135e74fe912dbaff83989ca85894826afcd98ea80dde61793d72c11073dddd
com.yummily.healthy.recipes Google 1000 MochiMicho 5a9ddb23df77fc305ffb66d2bf6570a3f7789846f17541eb7dfea40899724018
com.hexamaster.anim Google 500 Leopardus Studio faad1e3ea694e15f8817387d3409c5cad871c5953e2ef57df0573719f4fe20ee
com.twmedia.downloader Google 100 MochiMicho 5a87a8e648af47368c2cfd0fc2b4b75f04ddff76ab9266d2b3fa1ff928b31857
com.caracal.burningman Google 50 Caracal Entertainment bee86d3b154aed3ca7665ea5d7d6c2fc49e8454126e39b9887604cbb5f5a0474
com.cuvier.amazingkitchen Google 50 MajorStudioX a08253d1a857354c3f21238012b2e2db6036f64eff1d20978ff820f985afdb84
bis.wego.translate Google 0 3767f7dd5cadf7b725dbbbf70a0e9ae61addf59a17a3c6ea91399461a4f8e702
com.arplanner.sketchplan Google 0 http://api.maygaiproduct.icu/api/subscription 81947007337ed148665ae7ec6af26db36a9d9694fbdf8a4f41255dc0052a6b38
com.arsketch.quickplan Google 0 http://waws-prod-dm1-033.cloudapp.net/api/subscription 38edf2876f545329fd0694af182e431afb49fabc08439162567743b35daa02f2
com.livetranslate.best Google 0 MochiMicho 54361b941969577d83491a4f4b01cffb65399fa5c427575e7b45681cbf260997
com.lulquid.calculatepro Google 0 1c5ea6523bca5c85febde29f49e92fdbfbadd80078ef42d1e1efa800a008e072
com.smart.tools.pro Google 0 6fcfd045ca7dda7bb98eb912d554bb0bebcb0ebfacb5f26cbf09d6e9aa4bfb33
com.titanyan.igsaver Google 0 34b6a6fcf84883a2f3ec52531cdd1b84e21b41b7d146169fa04f07ca179095f3
hvt.ros.digiv.weather.radar Google 0 http://api.mantaalfredi.icu 22e4e534279ffa86ad5d543c71b4a678700758d0f8958c6dd1529807fd24c84a
md.titan.translator Google 0 fea92e6b30899b1d2733bb28758635edbf3916e1b8acd6b8b163d19bb33f4141
scanner.ar.measure Google 0 http://api.felinae.icu 1f864b9251eeff470529364fd48ad7d3e8a6a520f2088f6552aefcf53f4dfacd
toolbox.artech.helpful Google 0 http://api.kaluga.xyz/api/subscription 2ff57056dd17b8a43d46f342a440d3f04eb59f27074a39f6e47f3d70c03393ff
toolkit.armeasure.translate Google 0 http://api.somniosus.xyz 3eb62e52f0b361d60436bec366cfad64e180d9a4acb5f573476c32b11e1ee541

 

POPULAR POSTS

BLOGS AND PUBLICATIONS

  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
February 17, 2020

“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign

  • Check Point Research Publications
August 11, 2017

“The Next WannaCry” Vulnerability is Here

  • Check Point Research Publications
January 11, 2018

‘RubyMiner’ Cryptominer Affects 30% of WW Networks